@rmdes/indiekit-endpoint-activitypub 3.9.3 → 3.10.0

package/README.md

@@ -1,6 +1,6 @@
 # @rmdes/indiekit-endpoint-activitypub
 
-ActivityPub federation endpoint for [Indiekit](https://getindiekit.com), built on [Fedify](https://fedify.dev) 2.0. Makes your IndieWeb site a full fediverse actor — discoverable, followable, and interactive from Mastodon, Misskey, Pixelfed, and any ActivityPub-compatible platform. Includes a Mastodon-compatible Client API so you can use Phanpy, Elk, Moshidon, Fedilab, and other Mastodon clients with your own AP instance.
+ActivityPub federation endpoint for [Indiekit](https://getindiekit.com), built on [Fedify](https://fedify.dev) 2.1. Makes your IndieWeb site a full fediverse actor — discoverable, followable, and interactive from Mastodon, Misskey, Pixelfed, and any ActivityPub-compatible platform. Includes a Mastodon-compatible Client API so you can use Phanpy, Elk, Moshidon, Fedilab, and other Mastodon clients with your own AP instance.
 
 ## Features
 
@@ -88,13 +88,17 @@ ActivityPub federation endpoint for [Indiekit](https://getindiekit.com), built o
 - URL auto-linkification and @mention extraction in posted content
 - Thread context (ancestors + descendants)
 - Remote profile resolution via Fedify WebFinger with follower/following/post counts from AP collections
-- Account stats enrichment — embedded account data in timeline responses includes real counts
+- Account stats enrichment — cached account data applied immediately; uncached accounts resolved in background
 - Favourite, boost, bookmark interactions federated via Fedify AP activities
 - Notifications with type filtering
 - Search across accounts, statuses, and hashtags with remote resolution
 - Domain blocks API
 - Timeline backfill from posts collection on startup (bookmarks, likes, reposts get synthesized content)
 - In-memory account stats cache (500 entries, 1h TTL) for performance
+- OAuth2 scope enforcement — read/write scope validation on all API routes
+- Rate limiting — configurable limits on API, auth, and app registration endpoints
+- Access token expiry (1 hour) with refresh token rotation (90 days)
+- PKCE (S256) and CSRF protection on authorization flow
 
 **Admin UI**
 - Dashboard with follower/following counts and recent activity
@@ -105,10 +109,18 @@ ActivityPub federation endpoint for [Indiekit](https://getindiekit.com), built o
 - Follower and following lists with source tracking
 - Federation management page with moderation overview (blocked servers, blocked accounts, muted)
 
+**Standards Compliance**
+- FEP-5feb: Search Indexing Consent — actor advertises `indexable` and `discoverable` properties
+- FEP-f1d5/0151: Enhanced NodeInfo 2.1 — rich metadata including software repository, node name, staff accounts
+- FEP-4f05: Soft Delete with Tombstone — deleted posts return 410 with Tombstone JSON-LD including `formerType` and timestamps
+- FEP-3b86: Activity Intents — WebFinger links for Follow, Create, Like, Announce intents with authorize_interaction routing
+- FEP-8fcf: Collection Synchronization — outbound follower digest headers via Fedify `syncCollection`
+- FEP-044f: Quote Posts — rendered as embedded cards (via Fedify's `quoteUrl` support)
+
 ## Requirements
 
 - [Indiekit](https://getindiekit.com) v1.0.0-beta.25+
-- [Fedify](https://fedify.dev) 2.0+ (bundled as dependency)
+- [Fedify](https://fedify.dev) 2.1+ (bundled as dependency)
 - Node.js >= 22
 - MongoDB (used by Indiekit)
 - Redis (recommended for production delivery queue; in-process queue available for development)
@@ -318,6 +330,10 @@ The plugin creates these collections automatically:
 | `ap_blocked_servers` | Blocked server domains (instance-level blocks) |
 | `ap_key_freshness` | Tracks when remote actor keys were last verified |
 | `ap_inbox_queue` | Persistent async inbox processing queue |
+| `ap_tombstones` | Tombstone records for soft-deleted posts (FEP-4f05) |
+| `ap_oauth_apps` | Mastodon API client app registrations |
+| `ap_oauth_tokens` | OAuth2 authorization codes and access tokens |
+| `ap_markers` | Read position markers for Mastodon API clients |
 
 ## Supported Post Types
 
@@ -335,7 +351,7 @@ Categories are converted to `Hashtag` tags. Bookmarks include a bookmark emoji a
 
 ## Fedify Workarounds and Implementation Notes
 
-This plugin uses [Fedify](https://fedify.dev) 2.0 but carries several workarounds for issues in Fedify or its Express integration. These are documented here so they can be revisited when Fedify upgrades.
+This plugin uses [Fedify](https://fedify.dev) 2.1 but carries several workarounds for issues in Fedify or its Express integration. These are documented here so they can be revisited when Fedify upgrades.
 
 ### Custom Express Bridge (instead of `@fedify/express`)
 
@@ -357,14 +373,11 @@ Mastodon's `update_account_fields` checks `attachment.is_a?(Array)` and silently
 
 **Revisit when:** Fedify adds an option to preserve arrays during JSON-LD serialization, or Mastodon fixes their array check.
 
-### Endpoints `as:Endpoints` Type Stripping
+### Endpoints `as:Endpoints` Type Stripping — REMOVED
 
-**File:** `lib/federation-bridge.js` (in `sendFedifyResponse()`)
 **Upstream issue:** [fedify#576](https://github.com/fedify-dev/fedify/issues/576) — FIXED in Fedify 2.1.0
 
-Fedify serializes the `endpoints` object with `"type": "as:Endpoints"`, which is not a valid ActivityStreams type. browser.pub rejects this. The bridge strips the `type` field from the `endpoints` object before sending.
-
-**Remove when:** Upgrading to Fedify ≥ 2.1.0.
+This workaround has been removed. Fedify 2.1.0 now omits the invalid `"type": "as:Endpoints"` from serialized actor JSON.
 
 ### PropertyValue Attachment Type (Known Issue)
 
@@ -411,7 +424,6 @@ This is not a bug — Fedify requires explicit opt-in for signed fetches. But it
 - **Single actor** — One fediverse identity per Indiekit instance
 - **No Authorized Fetch enforcement** — `.authorize()` disabled on actor dispatcher (see workarounds above)
 - **No image upload in reader** — Compose form is text-only
-- **No custom emoji rendering** — Custom emoji shortcodes display as text
 - **In-process queue without Redis** — Activities may be lost on restart
 
 ## Acknowledgements

package/index.js

@@ -435,6 +435,20 @@ export default class ActivityPubEndpoint {
         });
 
         if (!post || post.properties?.deleted) {
+          // FEP-4f05: Serve Tombstone for deleted posts
+          const { getTombstone } = await import("./lib/storage/tombstones.js");
+          const tombstone = await getTombstone(self._collections, requestUrl);
+          if (tombstone) {
+            res.status(410).set("Content-Type", "application/activity+json").json({
+              "@context": "https://www.w3.org/ns/activitystreams",
+              type: "Tombstone",
+              id: requestUrl,
+              formerType: tombstone.formerType,
+              published: tombstone.published || undefined,
+              deleted: tombstone.deleted,
+            });
+            return;
+          }
           return next();
         }
 
@@ -811,6 +825,21 @@ export default class ActivityPubEndpoint {
    * @param {string} url - Full URL of the deleted post
    */
   async delete(url) {
+    // Record tombstone for FEP-4f05
+    try {
+      const { addTombstone } = await import("./lib/storage/tombstones.js");
+      const postsCol = this._collections.posts;
+      const post = postsCol ? await postsCol.findOne({ "properties.url": url }) : null;
+      await addTombstone(this._collections, {
+        url,
+        formerType: post?.properties?.["post-type"] === "article" ? "Article" : "Note",
+        published: post?.properties?.published || null,
+        deleted: new Date().toISOString(),
+      });
+    } catch (error) {
+      console.warn(`[ActivityPub] Tombstone creation failed for ${url}: ${error.message}`);
+    }
+
     await this.broadcastDelete(url).catch((err) =>
       console.warn(`[ActivityPub] broadcastDelete failed for ${url}: ${err.message}`)
     );
@@ -927,6 +956,8 @@ export default class ActivityPubEndpoint {
     Indiekit.addCollection("ap_oauth_apps");
     Indiekit.addCollection("ap_oauth_tokens");
     Indiekit.addCollection("ap_markers");
+    // Tombstones for soft-deleted posts (FEP-4f05)
+    Indiekit.addCollection("ap_tombstones");
 
     // Store collection references (posts resolved lazily)
     const indiekitCollections = Indiekit.collections;
@@ -964,6 +995,7 @@ export default class ActivityPubEndpoint {
       ap_oauth_apps: indiekitCollections.get("ap_oauth_apps"),
       ap_oauth_tokens: indiekitCollections.get("ap_oauth_tokens"),
       ap_markers: indiekitCollections.get("ap_markers"),
+      ap_tombstones: indiekitCollections.get("ap_tombstones"),
       get posts() {
         return indiekitCollections.get("posts");
       },

package/lib/controllers/authorize-interaction.js

@@ -2,18 +2,21 @@
  * Authorize Interaction controller — handles the remote follow / authorize
  * interaction flow for ActivityPub federation.
  *
- * When a remote server (WordPress AP, Misskey, etc.) discovers our WebFinger
- * subscribe template, it redirects the user here with ?uri={actorOrPostUrl}.
+ * Supports:
+ * - OStatus subscribe template (legacy remote follow via ?uri=...)
+ * - FEP-3b86 Activity Intents (via ?uri=...&intent=follow|create|like|announce)
  *
  * Flow:
  * 1. Missing uri → render error page
  * 2. Unauthenticated → redirect to login, then back here
- * 3. Authenticated → redirect to the reader's remote profile page
+ * 3. Authenticated → route to appropriate page based on intent
  */
 
 export function authorizeInteractionController(plugin) {
   return async (req, res) => {
     const uri = req.query.uri || req.query.acct;
+    const intent = req.query.intent || "";
+
     if (!uri) {
       return res.status(400).render("activitypub-authorize-interaction", {
         title: "Authorize Interaction",
@@ -29,17 +32,28 @@ export function authorizeInteractionController(plugin) {
     // then back to this page after auth
     const session = req.session;
     if (!session?.access_token) {
-      const returnUrl = `${plugin.options.mountPath}/authorize_interaction?uri=${encodeURIComponent(uri)}`;
+      const params = `uri=${encodeURIComponent(uri)}${intent ? `&intent=${intent}` : ""}`;
+      const returnUrl = `${plugin.options.mountPath}/authorize_interaction?${params}`;
       return res.redirect(
         `/session/login?redirect=${encodeURIComponent(returnUrl)}`,
       );
     }
 
-    // Authenticated — redirect to the remote profile viewer in our reader
-    // which already has follow/unfollow/like/boost functionality
+    const mp = plugin.options.mountPath;
     const encodedUrl = encodeURIComponent(resource);
-    return res.redirect(
-      `${plugin.options.mountPath}/admin/reader/profile?url=${encodedUrl}`,
-    );
+
+    // Route based on intent (FEP-3b86)
+    switch (intent) {
+      case "follow":
+        return res.redirect(`${mp}/admin/reader/profile?url=${encodedUrl}`);
+      case "create":
+        return res.redirect(`${mp}/admin/reader/compose?replyTo=${encodedUrl}`);
+      case "like":
+      case "announce":
+        return res.redirect(`${mp}/admin/reader/post?url=${encodedUrl}`);
+      default:
+        // Default: resolve to remote profile page
+        return res.redirect(`${mp}/admin/reader/profile?url=${encodedUrl}`);
+    }
   };
 }

package/lib/federation-bridge.js

@@ -89,12 +89,6 @@ async function sendFedifyResponse(res, response, request) {
       if (json.attachment && !Array.isArray(json.attachment)) {
         json.attachment = [json.attachment];
       }
-      // WORKAROUND: Fedify serializes endpoints with "type": "as:Endpoints"
-      // which is not a valid AS2 type. The endpoints object should be a plain
-      // object with just sharedInbox/proxyUrl etc. Strip the invalid type.
-      if (json.endpoints && json.endpoints.type) {
-        delete json.endpoints.type;
-      }
       const patched = JSON.stringify(json);
       res.setHeader("content-length", Buffer.byteLength(patched));
       res.end(patched);

package/lib/federation-setup.js

@@ -286,10 +286,48 @@ export function setupFederation(options) {
   // Add OStatus subscribe template so remote servers (WordPress AP, Misskey, etc.)
   // can redirect users to our authorize_interaction page for remote follow.
   federation.setWebFingerLinksDispatcher((_ctx, _resource) => {
+    const interactionBase = `${publicationUrl}${mountPath.replace(/^\//, "")}/authorize_interaction`;
     return [
+      // OStatus subscribe template (legacy remote follow)
       {
         rel: "http://ostatus.org/schema/1.0/subscribe",
-        template: `${publicationUrl}${mountPath.replace(/^\//, "")}/authorize_interaction?uri={uri}`,
+        template: `${interactionBase}?uri={uri}`,
+      },
+      // FEP-3b86 Activity Intents — Follow
+      {
+        rel: "https://w3id.org/fep/3b86",
+        template: `${interactionBase}?uri={uri}&intent=follow`,
+        properties: {
+          "https://w3id.org/fep/3b86#intent":
+            "https://www.w3.org/ns/activitystreams#Follow",
+        },
+      },
+      // FEP-3b86 Activity Intents — Create (reply)
+      {
+        rel: "https://w3id.org/fep/3b86",
+        template: `${interactionBase}?uri={uri}&intent=create`,
+        properties: {
+          "https://w3id.org/fep/3b86#intent":
+            "https://www.w3.org/ns/activitystreams#Create",
+        },
+      },
+      // FEP-3b86 Activity Intents — Like
+      {
+        rel: "https://w3id.org/fep/3b86",
+        template: `${interactionBase}?uri={uri}&intent=like`,
+        properties: {
+          "https://w3id.org/fep/3b86#intent":
+            "https://www.w3.org/ns/activitystreams#Like",
+        },
+      },
+      // FEP-3b86 Activity Intents — Announce (boost)
+      {
+        rel: "https://w3id.org/fep/3b86",
+        template: `${interactionBase}?uri={uri}&intent=announce`,
+        properties: {
+          "https://w3id.org/fep/3b86#intent":
+            "https://www.w3.org/ns/activitystreams#Announce",
+        },
       },
     ];
   });
@@ -305,6 +343,43 @@ export function setupFederation(options) {
     storeRawActivities,
   });
 
+  // Handle Delete activities from actors whose signing keys are gone.
+  // When an account is deleted, the remote server sends Delete but the
+  // actor's key endpoint returns 404/410, so signature verification fails.
+  // Fedify 2.1.0 lets us inspect these instead of auto-rejecting.
+  inboxChain
+    .onUnverifiedActivity(async (_ctx, activity, reason) => {
+      // Handle Delete activities from actors whose signing keys are gone.
+      // When an account is deleted, the remote server sends Delete but the
+      // actor's key endpoint returns 404/410, so signature verification fails.
+      // Fedify 2.1.0 lets us inspect these instead of auto-rejecting.
+      if (reason.type === "keyFetchError") {
+        const status = reason.result?.status;
+        if (status === 404 || status === 410) {
+          const actorId = activity.actorId?.href;
+          if (actorId) {
+            const activityType = activity.constructor?.name || "";
+            if (activityType === "Delete") {
+              console.info(
+                `[ActivityPub] Processing unverified Delete from ${actorId} (key ${status})`,
+              );
+              try {
+                await collections.ap_followers.deleteOne({ actorUrl: actorId });
+                await collections.ap_timeline.deleteMany({ "author.url": actorId });
+                await collections.ap_notifications.deleteMany({ actorUrl: actorId });
+                console.info(`[ActivityPub] Cleaned up data for deleted actor ${actorId}`);
+              } catch (error) {
+                console.warn(`[ActivityPub] Cleanup for ${actorId} failed: ${error.message}`);
+              }
+              return new Response(null, { status: 202 });
+            }
+          }
+        }
+      }
+      // All other unverified activities: return null for default 401
+      return null;
+    });
+
   // Enable authenticated fetches for the shared inbox.
   // Without this, Fedify can't verify incoming HTTP Signatures from servers
   // that require authorized fetch (e.g. hachyderm.io returns 401 on unsigned GETs).
@@ -337,17 +412,33 @@ export function setupFederation(options) {
       ? await collections.posts.countDocuments()
       : 0;
 
+    const profile = await getProfile(collections);
+
     return {
       software: {
         name: "indiekit",
         version: softwareVersion,
+        repository: new URL("https://github.com/getindiekit/indiekit"),
+        homepage: new URL("https://getindiekit.com"),
       },
       protocols: ["activitypub"],
+      services: {
+        inbound: [],
+        outbound: [],
+      },
+      openRegistrations: false,
       usage: {
         users: { total: 1, activeMonth: 1, activeHalfyear: 1 },
         localPosts: postsCount,
         localComments: 0,
       },
+      metadata: {
+        nodeName: profile.name || handle,
+        nodeDescription: profile.summary || "",
+        staffAccounts: [
+          `${publicationUrl}${mountPath.replace(/^\//, "")}/users/${handle}`,
+        ],
+      },
     };
   });
 
@@ -740,6 +831,8 @@ export async function buildPersonActor(
     featuredTags: ctx.getFeaturedTagsUri(identifier),
     endpoints: new Endpoints({ sharedInbox: ctx.getInboxUri() }),
     manuallyApprovesFollowers: profile.manuallyApprovesFollowers || false,
+    indexable: true,
+    discoverable: true,
   };
 
   if (profile.summary) {

package/lib/init-indexes.js

@@ -244,6 +244,12 @@ export function createIndexes(collections, options) {
       { userId: 1, timeline: 1 },
       { unique: true, background: true },
     );
+
+    // Tombstone indexes (FEP-4f05)
+    collections.ap_tombstones?.createIndex(
+      { url: 1 },
+      { unique: true, background: true },
+    );
   } catch {
     // Index creation failed — collections not yet available.
     // Indexes already exist from previous startups; non-fatal.

package/lib/mastodon/routes/statuses.js

@@ -21,7 +21,6 @@ import {
   boostPost, unboostPost,
   bookmarkPost, unbookmarkPost,
 } from "../helpers/interactions.js";
-import { addTimelineItem } from "../../storage/timeline.js";
 import { tokenRequired } from "../middleware/token-required.js";
 import { scopeRequired } from "../middleware/scope-required.js";
 
@@ -166,130 +165,105 @@ router.post("/api/v1/statuses", tokenRequired, scopeRequired("write", "write:sta
       }
     }
 
-    // Build JF2 properties for the Micropub pipeline
+    // Build JF2 properties for the Micropub pipeline.
+    // Provide both text and html — linkify URLs since Micropub's markdown-it
+    // doesn't have linkify enabled. Mentions are preserved as plain text;
+    // the AP syndicator resolves them via WebFinger for federation delivery.
+    const contentText = statusText || "";
+    const contentHtml = contentText
+      .replace(/&/g, "&")
+      .replace(/</g, "&lt;")
+      .replace(/>/g, "&gt;")
+      .replace(/(https?:\/\/[^\s<>&"')\]]+)/g, '<a href="$1">$1</a>')
+      .replace(/\n/g, "<br>");
+
     const jf2 = {
       type: "entry",
-      content: statusText || "",
+      content: { text: contentText, html: `<p>${contentHtml}</p>` },
     };
 
     if (inReplyTo) {
       jf2["in-reply-to"] = inReplyTo;
     }
 
-    if (spoilerText) {
-      jf2.summary = spoilerText;
+    if (visibility && visibility !== "public") {
+      jf2.visibility = visibility;
     }
 
-    if (sensitive === true || sensitive === "true") {
+    // Use content-warning (not summary) to match native reader behavior
+    if (spoilerText) {
+      jf2["content-warning"] = spoilerText;
       jf2.sensitive = "true";
     }
 
-    if (visibility && visibility !== "public") {
-      jf2.visibility = visibility;
-    }
-
     if (language) {
       jf2["mp-language"] = language;
     }
 
-    // Syndicate to AP only — posts from Mastodon clients belong to the fediverse.
-    // Never cross-post to Bluesky (conversations stay in their protocol).
-    // The publication URL is the AP syndicator's uid.
+    // Syndicate to AP — posts from Mastodon clients belong to the fediverse
     const publicationUrl = pluginOptions.publicationUrl || baseUrl;
     jf2["mp-syndicate-to"] = [publicationUrl.replace(/\/$/, "") + "/"];
 
-    // Create post via Micropub pipeline (same functions the Micropub endpoint uses)
-    // postData.create() handles: normalization, post type detection, path rendering,
-    // mp-syndicate-to validated against configured syndicators, MongoDB posts collection
+    // Create post via Micropub pipeline (same internal functions)
     const { postData } = await import("@indiekit/endpoint-micropub/lib/post-data.js");
     const { postContent } = await import("@indiekit/endpoint-micropub/lib/post-content.js");
 
     const data = await postData.create(application, publication, jf2);
-    // postContent.create() handles: template rendering, file creation in store
     await postContent.create(publication, data);
 
     const postUrl = data.properties.url;
     console.info(`[Mastodon API] Created post via Micropub: ${postUrl}`);
 
-    // Add to ap_timeline so the post is visible in the Mastodon Client API
+    // Return a minimal status to the Mastodon client.
+    // No timeline entry is created here — the post will appear in the timeline
+    // after the normal flow: Eleventy rebuild → syndication webhook → AP delivery.
     const profile = await collections.ap_profile.findOne({});
     const handle = pluginOptions.handle || "user";
-    const actorUrl = profile?.url || `${publicationUrl}/users/${handle}`;
-
-    // Extract hashtags from status text and merge with any Micropub categories
-    const categories = data.properties.category || [];
-    const inlineHashtags = (statusText || "").match(/(?:^|\s)#([a-zA-Z_]\w*)/g);
-    if (inlineHashtags) {
-      const existing = new Set(categories.map((c) => c.toLowerCase()));
-      for (const match of inlineHashtags) {
-        const tag = match.trim().slice(1).toLowerCase();
-        if (!existing.has(tag)) {
-          existing.add(tag);
-          categories.push(tag);
-        }
-      }
-    }
-
-    // Resolve relative media URLs to absolute
-    const resolveMedia = (items) => {
-      if (!items || !items.length) return [];
-      return items.map((item) => {
-        if (typeof item === "string") {
-          return item.startsWith("http") ? item : `${publicationUrl.replace(/\/$/, "")}/${item.replace(/^\//, "")}`;
-        }
-        if (item?.url && !item.url.startsWith("http")) {
-          return { ...item, url: `${publicationUrl.replace(/\/$/, "")}/${item.url.replace(/^\//, "")}` };
-        }
-        return item;
-      });
-    };
-
-    // Process content: linkify URLs and extract @mentions
-    const rawContent = data.properties.content || { text: statusText || "", html: "" };
-    const processedContent = processStatusContent(rawContent, statusText || "");
-    const mentions = extractMentions(statusText || "");
 
-    const now = new Date().toISOString();
-    const timelineItem = await addTimelineItem(collections, {
-      uid: postUrl,
+    res.json({
+      id: String(Date.now()),
+      created_at: new Date().toISOString(),
+      content: `<p>${contentHtml}</p>`,
       url: postUrl,
-      type: data.properties["post-type"] || "note",
-      content: processedContent,
-      summary: spoilerText || "",
-      sensitive: sensitive === true || sensitive === "true",
+      uri: postUrl,
       visibility: visibility || "public",
+      sensitive: sensitive === true || sensitive === "true",
+      spoiler_text: spoilerText || "",
+      in_reply_to_id: inReplyToId || null,
+      in_reply_to_account_id: null,
       language: language || null,
-      inReplyTo,
-      published: data.properties.published || now,
-      createdAt: now,
-      author: {
-        name: profile?.name || handle,
+      replies_count: 0,
+      reblogs_count: 0,
+      favourites_count: 0,
+      favourited: false,
+      reblogged: false,
+      bookmarked: false,
+      account: {
+        id: "owner",
+        username: handle,
+        acct: handle,
+        display_name: profile?.name || handle,
         url: profile?.url || publicationUrl,
-        photo: profile?.icon || "",
-        handle: `@${handle}`,
+        avatar: profile?.icon || "",
+        avatar_static: profile?.icon || "",
+        header: "",
+        header_static: "",
+        followers_count: 0,
+        following_count: 0,
+        statuses_count: 0,
         emojis: [],
-        bot: false,
+        fields: [],
       },
-      photo: resolveMedia(data.properties.photo || []),
-      video: resolveMedia(data.properties.video || []),
-      audio: resolveMedia(data.properties.audio || []),
-      category: categories,
-      counts: { replies: 0, boosts: 0, likes: 0 },
-      linkPreviews: [],
-      mentions,
+      media_attachments: [],
+      mentions: extractMentions(contentText).map(m => ({
+        id: "0",
+        username: m.name.split("@")[1] || m.name,
+        acct: m.name.replace(/^@/, ""),
+        url: m.url,
+      })),
+      tags: [],
       emojis: [],
     });
-
-    // Serialize and return
-    const serialized = serializeStatus(timelineItem, {
-      baseUrl,
-      favouritedIds: new Set(),
-      rebloggedIds: new Set(),
-      bookmarkedIds: new Set(),
-      pinnedIds: new Set(),
-    });
-
-    res.json(serialized);
   } catch (error) {
     next(error);
   }
@@ -604,45 +578,6 @@ async function loadItemInteractions(collections, item) {
   return { favouritedIds, rebloggedIds, bookmarkedIds };
 }
 
-/**
- * Process status content: linkify bare URLs and convert @mentions to links.
- *
- * Mastodon clients send plain text — the server is responsible for
- * converting URLs and mentions into HTML links.
- *
- * @param {object} content - { text, html } from Micropub pipeline
- * @param {string} rawText - Original status text from client
- * @returns {object} { text, html } with linkified content
- */
-function processStatusContent(content, rawText) {
-  let html = content.html || content.text || rawText || "";
-
-  // If the HTML is just plain text wrapped in <p>, process it
-  // Don't touch HTML that already has links (from Micropub rendering)
-  if (!html.includes("<a ")) {
-    // Linkify bare URLs (http/https)
-    html = html.replace(
-      /(https?:\/\/[^\s<>"')\]]+)/g,
-      '<a href="$1" rel="nofollow noopener noreferrer" target="_blank">$1</a>',
-    );
-
-    // Convert @user@domain mentions to profile links
-    html = html.replace(
-      /(?:^|\s)(@([a-zA-Z0-9_]+)@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))/g,
-      (match, full, username, domain) =>
-        match.replace(
-          full,
-          `<span class="h-card"><a href="https://${domain}/@${username}" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@${username}@${domain}</a></span>`,
-        ),
-    );
-  }
-
-  return {
-    text: content.text || rawText || "",
-    html,
-  };
-}
-
 /**
  * Extract @user@domain mentions from text into mention objects.
  *

package/lib/storage/tombstones.js

@@ -0,0 +1,52 @@
+/**
+ * Tombstone storage for soft-deleted posts (FEP-4f05).
+ * When a post is deleted, a tombstone record is created so remote servers
+ * fetching the URL get a proper Tombstone response instead of 404.
+ * @module storage/tombstones
+ */
+
+/**
+ * Record a tombstone for a deleted post.
+ * @param {object} collections - MongoDB collections
+ * @param {object} data - { url, formerType, published, deleted }
+ */
+export async function addTombstone(collections, { url, formerType, published, deleted }) {
+  const { ap_tombstones } = collections;
+  if (!ap_tombstones) return;
+
+  await ap_tombstones.updateOne(
+    { url },
+    {
+      $set: {
+        url,
+        formerType: formerType || "Note",
+        published: published || null,
+        deleted: deleted || new Date().toISOString(),
+      },
+    },
+    { upsert: true },
+  );
+}
+
+/**
+ * Remove a tombstone (post re-published).
+ * @param {object} collections - MongoDB collections
+ * @param {string} url - Post URL
+ */
+export async function removeTombstone(collections, url) {
+  const { ap_tombstones } = collections;
+  if (!ap_tombstones) return;
+  await ap_tombstones.deleteOne({ url });
+}
+
+/**
+ * Look up a tombstone by URL.
+ * @param {object} collections - MongoDB collections
+ * @param {string} url - Post URL
+ * @returns {Promise<object|null>} Tombstone record or null
+ */
+export async function getTombstone(collections, url) {
+  const { ap_tombstones } = collections;
+  if (!ap_tombstones) return null;
+  return ap_tombstones.findOne({ url });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.9.3",
+  "version": "3.10.0",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",
@@ -37,9 +37,9 @@
     "url": "https://github.com/rmdes/indiekit-endpoint-activitypub/issues"
   },
   "dependencies": {
-    "@fedify/debugger": "^2.0.0",
-    "@fedify/fedify": "^2.0.0",
-    "@fedify/redis": "^2.0.0",
+    "@fedify/debugger": "^2.1.0",
+    "@fedify/fedify": "^2.1.0",
+    "@fedify/redis": "^2.1.0",
     "@js-temporal/polyfill": "^0.5.0",
     "express": "^5.0.0",
     "express-rate-limit": "^7.5.1",